Will fileless malware push the antivirus industry into oblivion?

The death of antivirus has been prophesied for years now, but the AV industry is still alive and kicking. SentinelOne, though, believes that in-memory resident attacks, i.e. fileless malware, just might be the thing that pushes it into oblivion.

They base their conjecture on the results of the attack detections made through over a million SentinelOne Endpoint Protection Platform agents, deployed in enterprise environments across the world. These detections are made at the endpoint, i.e. they only include the attacks that were not mitigated by other security technologies before reaching the endpoint.

The results show that, from August to November 2016, the threats that come from document-based files (usually MS Word and Adobe PDF) have a pretty steady incidence.

At the same time, the percentage of attacks coming from executable files has been falling, while the rate of successful attacks detected only in the memory of the system has risen.

This latter type of attack may exploit existing operating system resources, and run code or instructions directly from memory, leaving no associated new artefacts on the system.

Characteristics of in-memory resident attacks

“Often the originating object will be cmd.exe, powershell.exe or mshta.exe, as legitimate and essential operating system resources that are subverted as the payload platform during the exploitation stage, instigated frequently either by a document received by email, malicious script or an active code component on a web page,” SentinelOne researchers noted.

“There are many different methods and tools that we detected trying to gain a foothold in memory; WMI persistence is one such tactic. This type of technique was first discovered during the investigation into Stuxnet and later also identified as a method used in the attack on the Democratic National Committee,” they shared.
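An added defender-side example, not code from the article or from SentinelOne: a permanent WMI subscription, the mechanism behind the WMI persistence mentioned above, consists of an event filter, an event consumer and a binding that joins them, so an inventory of those three classes shows what is wired to run and on which trigger. It assumes Windows PowerShell 5.1 with administrative rights and uses only the built-in Get-WmiObject cmdlet.

```powershell
# Inventory permanent WMI event subscriptions in root\subscription.
# Added example, not the article's code; assumes Windows PowerShell 5.1 as admin.
$ns = 'root\subscription'

# Index filters (the WQL trigger) and consumers (the action) by Name
# so that each binding can be resolved to both halves.
$filters = @{}
Get-WmiObject -Namespace $ns -Class __EventFilter |
    ForEach-Object { $filters[$_.Name] = $_ }

$consumers = @{}
Get-WmiObject -Namespace $ns -Class __EventConsumer |
    ForEach-Object { $consumers[$_.Name] = $_ }

# A binding's Filter/Consumer properties are WMI paths such as
# __EventFilter.Name="X"; extract the Name from that path.
function Get-NameFromPath([string]$Path) {
    $m = [regex]::Match($Path, 'Name="([^"]*)"')
    if ($m.Success) { $m.Groups[1].Value } else { $Path }
}

Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding | ForEach-Object {
    $f = $filters[(Get-NameFromPath $_.Filter)]
    $c = $consumers[(Get-NameFromPath $_.Consumer)]

    # Consumers that execute a command line or a script deserve a close look;
    # the NTEventLogEventConsumer "SCM Event Log Consumer" ships with Windows.
    $action = switch ($c.__CLASS) {
        'CommandLineEventConsumer'  { $c.CommandLineTemplate }
        'ActiveScriptEventConsumer' { "$($c.ScriptingEngine): $($c.ScriptText)" }
        default                     { '(non-executing consumer)' }
    }

    [pscustomobject]@{
        Filter       = $f.Name
        Query        = $f.Query          # the WQL event query that fires it
        ConsumerType = $c.__CLASS
        Consumer     = $c.Name
        Action       = $action
        ReviewNeeded = $c.__CLASS -in 'CommandLineEventConsumer','ActiveScriptEventConsumer'
    }
} | Format-List
```

Any binding whose consumer runs a command line or script and is not accounted for by management tooling is worth preserving (export the three objects) before removal, since the query, engine and script text are the only artefacts a fileless implant of this kind leaves.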

“Another common attack pattern we see is a ‘live’ or interactive attack, where the attacker delivers a weaponized document and is able to employ a meterpreter reverse shell, powersploit payload or red team testing frameworks. We often see hackers invoke reflective injection techniques to run late stage tools such as mimikatz, to gather credentials on the impacted system. We routinely spot the insertion of javascript into command line instructions and observed an increasing trend in exploits issuing malware payloads in shellcode rather than a file.”

The rise of the fileless threat

According to Kaspersky Lab researchers, fileless malware is being used in attacks by both targeted threat actors and cybercriminals in general.

“We have seen such techniques being widely adopted in the last few months. We find examples in the lateral movement tools used in Shamoon attacks, in attacks against Eastern European banks, and used by different APT actors such as CloudComputating, Lungen or HiddenGecko, as well as in the evolution of old backdoors like Hikit, which evolved to new fileless versions,” they noted.

“This trend makes traditional forensic analysis harder, traditional IOCs such as file hashes obsolete, application whitelisting more difficult, and antivirus evasion easier. It also helps to evade most of the log activity.”

SentinelOne also pointed out that the Angler EK now has a fileless option, and Kovter, Phasebot, Powersniff and LatentBot are just some of the recent examples of threats employing in-memory tactics.

And while executable files are still a highly encountered type of threat, fileless threats should not be discounted, especially as they have an easier time evading security models that depend on traditional, static file inspection.